Bob,

You could do this, but if you did you would have to configure the firewall's outside interface to pass VPN traffic. If you configure the firewall to pass VPN traffic you lose the capability of using that outside firewall interface to terminate site-to-site VPN connections. I like leaving that capability available in case I have to build a site quickly.

The other issue is that the "real" IP address for the concentrator shows up on the firewall, and the firewall passes the allowed traffic through. For troubleshooting's sake you might find yourself allowing the firewall's outside interface to respond to pings. This is in case a remote user wants to check to see if they can reach your site. Great for troubleshooting, but I hate turning on ping for the firewall's outside interface.

Liberty for All,

Brian

At 01:58 PM 10/16/2001 -0700, bob bobing wrote:
>Or if you have enough NICs free, put both VPN NICs
>behind the firewall.
>
>Example (firewall has 4 NICs): outside, inside, dmz1 and
>dmz2. Hope the diagram comes out ok.
>
>outside
>| / Outside vpn nic. (dmz1)
>firewall
>| \ Inside vpn nic. (dmz2)
>inside
>
>This way you can keep state of all connections, VPN
>connections to the outside NIC, and connections
>coming from the VPN to the internal network. You can
>also filter to your heart's delight.
>
>NOTE: you do need to make sure you are not using auth
>header (proto 51, I think) because of NATing issues.
>
>Just open proto 50 and UDP 500 to the VPN. If you
>can't set up a routable IP on the VPN's outside NIC, then
>set up a static NAT from the outside to the VPN's
>outside NIC. Also note that you will need to do NAT on
>the VPN to give a path for the internal network to
>route back through the VPN for remote users.
>
>Just a thought...
>
>--- Brian Ford <[EMAIL PROTECTED]> wrote:
> > Ivan,
> >
> > You are correct in that the VPN3015 does not
> > currently have a stateful firewall. It does support
> > access control lists.
> >
> > At this time there is no way to get through a
> > VPN30xx concentrator other than using one of the
> > VPN clients. To date there have been no compromises
> > of that platform.
> >
> > I would suggest you look at installing the VPN3015
> > concentrator on a perimeter network off your
> > existing firewall. That way the 3015 can be
> > accessed by VPN clients on the Internet via its own
> > public IP address. Any attempts to get through the
> > concentrator would need to pass through the firewall,
> > so you can enforce policy on anything that comes
> > through the concentrator.
> >
> > Liberty for All,
> >
> > Brian
> >
> > At 10:11 AM 10/16/2001 -0700, Ivan Lopez, TRI wrote:
> > >Message: 11
> > >From: "Ivan Lopez, TRI" <[EMAIL PROTECTED]>
> > >To: [EMAIL PROTECTED]
> > >Subject: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?
> > >Date: Tue, 16 Oct 2001 11:04:46 -0400
> > >
> > >We recently bought a Cisco VPN Concentrator 3015.
> > >We've been told that since it does not have firewall capabilities, it is
> > >not safe to have its outside interface on the Internet side.
> > >Is that true? Do we need to put a firewall in front of it?
> > >In that case, which ports need to be open?
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
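The following is an added example, not part of the thread and not Cisco or firewall vendor code. It models Bob's four-NIC layout for one Internet-originated packet: static NAT from a public address to the concentrator's outside NIC on dmz1, a filter that passes only IKE (UDP/500) and ESP (IP protocol 50), and the concentrator checking the packet's integrity value. It also shows why the note about AH (protocol 51) holds: AH's integrity check covers the outer IP header including the destination address, so a packet the client signed against the public address fails verification once NAT has rewritten the destination, while ESP's check covers only the ESP payload and survives the rewrite. The addresses, the shared key, the payload and the HMAC-based stand-in for the real IPsec integrity algorithm are all constructed assumptions.

```python
"""
Constructed model of the 4-NIC layout from the thread (not Cisco or firewall code):
Internet -> firewall outside -> static NAT -> dmz1 (concentrator's outside NIC).
Addresses, key and payloads are made up for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

ESP, AH, UDP, TCP = 50, 51, 17, 6

# Constructed addresses (assumptions, not taken from the thread)
PUBLIC_VPN_IP = "203.0.113.10"    # routable address the firewall answers for
VPN_OUTSIDE_NIC = "10.1.1.2"     # concentrator's outside NIC on dmz1
SA_KEY = b"constructed-sa-key"   # stands in for the negotiated SA keys


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    payload: bytes = b""
    icv: bytes = b""


def ah_icv(pkt: Packet) -> bytes:
    """AH's ICV covers the immutable outer IP header fields (src/dst) plus the payload."""
    data = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()


def esp_icv(pkt: Packet) -> bytes:
    """ESP's ICV covers only the ESP header/payload, never the outer IP header."""
    return hmac.new(SA_KEY, pkt.payload, hashlib.sha256).digest()


def static_nat(pkt: Packet) -> Packet:
    """Static NAT on the firewall: public address -> concentrator's outside NIC."""
    if pkt.dst == PUBLIC_VPN_IP:
        return replace(pkt, dst=VPN_OUTSIDE_NIC)
    return pkt


def outside_to_dmz1_allowed(pkt: Packet, permit_ah: bool = False) -> bool:
    """Filter on the outside interface: only IKE (UDP/500) and ESP (proto 50)
    may reach the concentrator. AH (proto 51) stays closed by default."""
    if pkt.dst != VPN_OUTSIDE_NIC:
        return False
    if pkt.proto == UDP and pkt.dport == 500:
        return True
    if pkt.proto == ESP:
        return True
    return permit_ah and pkt.proto == AH


def concentrator_accepts(pkt: Packet) -> bool:
    """The concentrator verifies the ICV of ESP/AH packets against the NATed header."""
    if pkt.proto == AH:
        return hmac.compare_digest(ah_icv(pkt), pkt.icv)
    if pkt.proto == ESP:
        return hmac.compare_digest(esp_icv(pkt), pkt.icv)
    return True  # IKE on UDP/500 authenticates inside its own exchange, not modelled here


def traverse(pkt: Packet, permit_ah: bool = False) -> str:
    """Walk one Internet-originated packet through NAT, the filter and the concentrator."""
    natted = static_nat(pkt)
    if not outside_to_dmz1_allowed(natted, permit_ah):
        return "dropped by firewall"
    if not concentrator_accepts(natted):
        return "rejected by concentrator: ICV mismatch"
    return "accepted"


def build_from_client(proto: int, dport: Optional[int] = None) -> Packet:
    """A remote client addresses the public IP and signs against the header it sees."""
    pkt = Packet("198.51.100.7", PUBLIC_VPN_IP, proto, dport, b"encapsulated data")
    if proto == AH:
        return replace(pkt, icv=ah_icv(pkt))
    if proto == ESP:
        return replace(pkt, icv=esp_icv(pkt))
    return pkt


if __name__ == "__main__":
    print("IKE :", traverse(build_from_client(UDP, 500)))
    print("ESP :", traverse(build_from_client(ESP)))
    print("AH  :", traverse(build_from_client(AH)))
    print("AH* :", traverse(build_from_client(AH), permit_ah=True))  # opened anyway
    print("TCP :", traverse(build_from_client(TCP, 22)))
```

The `permit_ah=True` case is the one worth noting: opening protocol 51 on the firewall does not help, because the NAT rewrite itself invalidates the AH check, which is the reason to leave it closed rather than the other way round. The model only rewrites the destination address, which is what a one-to-one static NAT to the concentrator's outside NIC does.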
